Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 722896

Summary: interface body is not consistent with interface header
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: dwalsh, ebenes, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-146.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 12:24:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2011-07-18 12:28:02 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.7.19-93.el6_1.2.noarch
selinux-policy-doc-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-mls-3.7.19-93.el6_1.2.noarch

How reproducible:
always

Steps to Reproduce:
1. look into following file:
/usr/share/selinux/devel/include/services/cups.if
2. search for the definition of following interface:
cups_backend
3. compare the number of parameters described in the header and used in the body
########################################
## <summary>
##      Setup cups to transtion to the cups backend domain
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`cups_backend',`
        gen_require(`
                type cupsd_t;
        ')

        domain_type($1)
        domain_entry_file($1, $2)
        role system_r types $1;

        domtrans_pattern(cupsd_t, $2, $1)
        allow cupsd_t $1:process signal;
        allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;

        cups_read_config($1)
        cups_append_log($1)
')
  
Actual results:
* the number of parameters described in the header is not equal to the number of parameters used in the body 

Expected results:
* the number of parameters described in the header is equal to the number of parameters used in the body
Comment 1 Milos Malik 2011-07-18 12:42:00 UTC 
/usr/share/selinux/devel/include/services/virt.if

#######################################
## <summary>
##  Execute a domain transition to run virt.
## </summary>
## <param name="domain">
## <summary>
##  Domain allowed to transition.
## </summary>
## </param>
#
interface(`virt_run',`
    gen_require(`
        type virtd_t;
                type qemu_t;
    ')

    virt_domtrans($1)

    role $2 types virtd_t;
        role $2 types qemu_t;

')
Comment 2 Miroslav Grepl 2011-07-19 06:12:25 UTC 
I will backport fixes from Fedora.
Comment 3 Milos Malik 2011-07-19 12:57:56 UTC 
/usr/share/selinux/devel/include/admin/accountsd.if

########################################
## <summary>
##      All of the rules required to administrate 
##      an accountsd environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`accountsd_admin',`
        gen_require(`
                type accountsd_t;
        ')
        allow $1 accountsd_t:process { ptrace signal_perms getattr };
        read_files_pattern($1, accountsd_t, accountsd_t)

        accountsd_manage_var_lib($1)
')
Comment 4 Milos Malik 2011-07-19 13:07:53 UTC 
/usr/share/selinux/devel/include/services/devicekit.if

########################################
## <summary>
##      All of the rules required to administrate 
##      an devicekit environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      The role to be allowed to manage the devicekit domain.
##      </summary>
## </param>
## <param name="terminal">
##      <summary>
##      The type of the user terminal.
##      </summary>
## </param>
## <rolecap/>
#
interface(`devicekit_admin',`
        gen_require(`
                type devicekit_t, devicekit_disk_t, devicekit_power_t;
                type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
        ')

        allow $1 devicekit_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_t)

        allow $1 devicekit_disk_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_disk_t)

        allow $1 devicekit_power_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_power_t)

        admin_pattern($1, devicekit_tmp_t)
        files_search_tmp($1)

        admin_pattern($1, devicekit_var_lib_t)
        files_search_var_lib($1)

        admin_pattern($1, devicekit_var_run_t)
        files_search_pids($1)
')
Comment 5 Milos Malik 2011-07-19 13:08:55 UTC 
########################################
## <summary>
##      rw any files inherited from another process
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_rw_all_inherited_files',`
        gen_require(`
                attribute file_type;
        ')

        allow $1 { file_type $2 }:file rw_inherited_file_perms;
        allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
        allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
        allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
')
Comment 6 Milos Malik 2011-07-19 13:18:43 UTC 
#######################################
## <summary>
##      The per role template for the openoffice module.
## </summary>
## <param name="user_role">
##      <summary>
##      The role associated with the user domain.
##      </summary>
## </param>
## <param name="user_domain">
##      <summary>
##      The type of the user domain.
##      </summary>
## </param>
#
interface(`openoffice_plugin_role',`
        gen_require(`
                type openoffice_exec_t;
                type openoffice_t;
        ')
        
        ########################################
        #
        # Local policy
        #

        domtrans_pattern($1, openoffice_exec_t, openoffice_t)
        allow $1 openoffice_t:process { signal sigkill };
')
Comment 7 Milos Malik 2011-07-19 13:20:04 UTC 
########################################
## <summary>
##      All of the rules required to administrate 
##      an plymouthd environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`plymouthd_admin', `
        gen_require(`
                type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
                type plymouthd_var_run_t;
        ')

        allow $1 plymouthd_t:process { ptrace signal_perms };
        ps_process_pattern($1, plymouthd_t)

        files_search_var_lib($1)
        admin_pattern($1, plymouthd_spool_t)

        admin_pattern($1, plymouthd_var_lib_t)

        files_search_pids($1)
        admin_pattern($1, plymouthd_var_run_t)  

')
Comment 8 Milos Malik 2011-07-19 13:26:14 UTC 
########################################
## <summary>
##      All of the rules required to administrate 
##      an setroubleshoot environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      The role to be allowed to manage the setroubleshoot domain.
##      </summary>
## </param>
## <rolecap/>
#
interface(`setroubleshoot_admin',`
        gen_require(`
                type setroubleshootd_t, setroubleshoot_var_log_t;
                type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
        ')

        allow $1 setroubleshootd_t:process { ptrace signal_perms };
        ps_process_pattern($1, setroubleshootd_t)
                
        logging_list_logs($1)
        admin_pattern($1, setroubleshoot_var_log_t)

        files_list_var_lib($1)
        admin_pattern($1, setroubleshoot_var_lib_t)

        files_list_pids($1)
        admin_pattern($1, setroubleshoot_var_run_t)
')
Comment 9 Milos Malik 2011-07-19 14:05:50 UTC 
#######################################
## <summary>
##      Role access for nsplugin
## </summary>
## <param name="userdomain_prefix">
##      <summary>
##      The prefix of the user domain (e.g., user
##      is the prefix for user_t).
##      </summary>
## </param>
## <param name="user_role">
##      <summary>
##      The role associated with the user domain.
##      </summary>
## </param>
## <param name="user_domain">
##      <summary>
##      The type of the user domain.
##      </summary>
## </param>
#
interface(`nsplugin_role',`
        gen_require(`
                type nsplugin_exec_t;
                type nsplugin_config_exec_t;
                type nsplugin_t;
                type nsplugin_config_t;
        ')

        nsplugin_role_notrans($1, $2)

        domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
        domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)

')
Comment 10 Milos Malik 2011-07-19 14:12:26 UTC 
* samba_admin() describes 2 parameters in the header but uses 3 parameters in the body
* seutil_role_allow_setfiles() describes 2 parameters in the header but uses only 1 parameter in the body
Comment 13 Miroslav Grepl 2011-08-10 16:17:43 UTC 
Fixed in selinux-policy-3.7.19-107.el6
Comment 34 errata-xmlrpc 2012-06-20 12:24:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html